NPM Node question

Hi guys! I have a question about npm, the package manager node.js uses.
What security measures does this thing have? I read in the tutorial ‘how-to-npm’ that it is possible to accidentally publish private data just by being in the wrong directory and typing in the wrong npm command. Is it really that easy to leak all that private information? … and what about this version command (every single application except this one uses that ‘version’ keyword to get the version, but npm uses it to upload files…)

Also, what exactly does this adduser command do? I tried it and then tried to log in on their page, but it said that the account doesn’t exist.

It sounds like the security concerns are about uploading your own packages to npm, which you probably won’t do anytime soon, you’ll be mostly downloading packages.


Like the previous post said, accidentally uploading the wrong files is something that only happens if you’re uploading your own package. Something you will not likely do for a long time. You will mostly only be using two commands for npm.

  1. npm init (this sets up your package.json file)
  2. npm install (this is how you download packages to use)

The adduser command doesn’t actually do anything while you’re running the tutorial. If you use it outside the tutorial then it would add the account. And that’s something you only need if you’re uploading a package. Lastly, I’m not sure what you mean about version triggering an upload, but if it’s something that you are worried about, you can always change the version number by altering the package.json file or by running npm init again. Hope that helps.

@elisecode247 @Josh5231 Thanks a lot for replying!
So to upload anything to their repositories I need that package.json file all set, and if I try that publish command in any other directory on my computer it won’t let me, right? I was worried about the version thing too because, after reading its description, it had a similar ‘upload your stuff to their repo’ behaviour.

Thanks for clarifying the adduser part too. I was worried because, from my experience, a program that runs in the command prompt ends as soon as it throws you back to the ‘line’ before you ran it. I assumed that the tutorial just ended (and that’s why we have to run ‘how-to-npm’, ‘how-to-npm verify’, etc. several times), and that the tutorial had no way to track what we did because it had already finished and we were back in our machine, the main scope.

I’m not a fan of the node school workshops. They are not beginner friendly. Try reading the docs from npm to see if they are any better: https://docs.npmjs.com/getting-started/what-is-npm

I just pulled up the “how-to-npm” and the lesson on versions states:

> npm has a special command called npm version which will update your
> package.json file for you, and also commit the change to git if your
> project is a git repository. You can learn more at `npm help version`

In other words it just updates the package.json file and commits the change to your git. It doesn’t upload anything.

From the lesson on log-in

I’m not sure that it “must” have the package.json file, but it is easy enough to remove any files even if you do happen to upload the wrong files. But as stated earlier, you will not likely be needing to upload anything to npm any time in the near future.
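For the original worry in this thread (publishing private files by accident), here is an added example, not code from the thread or from npm itself: a pre-publish check that asks npm what the tarball would contain and flags secret-looking paths before anything is uploaded. It assumes npm 7 or newer, where `npm pack --dry-run --json` prints a JSON array whose first element carries a `files` list of `{"path": ...}` entries; the secret-name patterns and the sample listing are constructed for illustration.

```python
"""List what `npm publish` would upload and refuse if it looks like it contains secrets."""
import fnmatch
import json
import subprocess
import sys

# Constructed name patterns for files that should never ship in a public package.
SENSITIVE_PATTERNS = (
    ".env", ".env.*", ".npmrc", "*.pem", "*.key", "id_rsa*", "*.p12",
    "*.pfx", "secrets.*", "credentials*", ".aws/*", ".ssh/*",
)

# Constructed stand-in for `npm pack --dry-run --json` output (shape assumed from npm 7+).
SAMPLE_PACK_JSON = json.dumps([{"files": [
    {"path": "package.json"}, {"path": "index.js"},
    {"path": ".env"}, {"path": "config/server.key"},
]}])


def tarball_paths(pack_json):
    """Extract the file paths npm reports it would put into the tarball."""
    report = json.loads(pack_json)
    return [entry["path"] for entry in report[0]["files"]]


def find_sensitive(paths):
    """Return, sorted, every path whose basename or full path matches a sensitive pattern."""
    flagged = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(name, pat) or fnmatch.fnmatch(path, pat)
               for pat in SENSITIVE_PATTERNS):
            flagged.append(path)
    return sorted(flagged)


def main():
    # --dry-run builds only the listing: no tarball is written and nothing is uploaded.
    result = subprocess.run(["npm", "pack", "--dry-run", "--json"],
                            capture_output=True, text=True, check=True)
    paths = tarball_paths(result.stdout)
    flagged = find_sensitive(paths)
    print(f"{len(paths)} files would be published")
    for path in flagged:
        print(f"REFUSE: {path} looks like a secret; exclude it via .npmignore or a 'files' allowlist")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the package directory before `npm publish`; a non-zero exit means the listing contained something that should stay private.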